
Research And Implementation Of SDN-oriented Network Structure Security Audit Technology

Posted on: 2020-02-10
Degree: Master
Type: Thesis
Country: China
Candidate: Y Y Miao
GTID: 2518306215468694
Subject: Computer Science and Technology

Abstract/Summary:
While software-defined network (SDN) technology gives today's network topologies dynamically reconfigurable operation and maintenance capabilities, the dynamic changes in topology pose new challenges to the concept and technology of information system level protection. For this reason, dynamic structural security auditing of software-defined networks has become a research topic. Targeting software-defined networks, this paper studies a security audit architecture for dynamic network structure and presents a security audit technology for it. Building on software-defined network technology, security domains are obtained by collecting, checking and detecting the static network topology, monitoring dynamic changes to the topology, and updating and analyzing the topology. Then security domains such as access interception, intrusion detection, intrusion protection, virus protection and line confidentiality are abstracted. Access paths between domains are explored according to the characteristics of the security domains, and the security compliance of each path is measured along its route. This is repeated until every path has been measured for compliance with the security characteristics. Finally, the five security features of the network structure are evaluated comprehensively. The main work is summarized in the following five aspects:

(1) To address the challenges faced by the security audit model, the concept of network structure security audit was re-identified and defined, the network structure security audit model was formally reconstructed, and the structural connectivity and behavior characteristics of the network structure security audit pushdown machine were analyzed from a mathematical perspective. It is proved, from the aspect of computability, that the network structure security audit process reconstructed in this paper has the property that its final state is reachable. A new computing mechanism is thereby obtained.

(2) To analyze security domains, the basis for security domain analysis is re-examined and proposed, the security domain analysis model is formally reconstructed, and the structural connectivity and behavior characteristics of the security domain analysis pushdown machine are analyzed at a mathematical level. From the aspect of computability, it is proved that the security domain analysis process reconstructed in this paper has final-state reachability. A new computer system was obtained.

(3) Based on the new security audit mechanism above, a new security audit framework algorithm is designed, and the principles and pseudo-code design of the three key algorithms of this framework are described. They are the security domain extraction sub-algorithm, the access path compliance measurement sub-algorithm and the security evaluation sub-algorithm. The corresponding complexity analysis is given, providing the technical basis for designing and implementing the network structure security audit prototype system.

(4) Following the GXEEA1702 project requirements, and using the framework and three key sub-algorithms above as the technical basis, an object-oriented development method is used to design and implement a network structure security audit prototype system for software-defined networks.

(5) Following the GXEEA1702 project scenario, test cases are designed and used to verify the functionality of the prototype system. The experimental results show that the network structure security audit for software-defined networks initially meets the project requirements; that is, it can collect the network topology based on node information, node types and logs, extract security domains based on the security domain analysis mechanism, extract access paths between security domains, measure compliance, and evaluate security against security level requirements.

Compared with the research of T. Pereira et al., this paper provides the basis for security domain analysis and forms the security domain analysis mechanism. In addition, the research of XMS and Liu Jing et al. focuses on a series of analytical measures taken during or after an attack. This system can be used not only during and after an attack but also when no attack has occurred, which can effectively prevent network intrusion and ensure the security of the network structure.
Keywords/Search Tags:Software-defined network, Network structure, Security audit, Security domain analysis, Compliance metrics